
Commit 9e7d832

Jami Cogswell
authored and
Jami Cogswell
committed
Convert BrowserRequestForgery.ql to use the new dataflow API
1 parent 701d39d commit 9e7d832


2 files changed

+11
-12
lines changed


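--- a/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll
+++ b/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll
@@ -16,31 +16,30 @@
 * A taint tracking configuration for client-side request forgery.
 * Server side is disabled since this is in the browser, but the extra models can be enabled for extra coverage
 */
-class Configuration extends TaintTracking::Configuration {
-Configuration() { this = "ClientSideRequestForgery" }
-
-override predicate isSource(DataFlow::Node source) {
+module Config implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
 exists(Source src |
 source = src and
 not src.isServerSide()
 ) or
 source instanceof OnMessageExternal or source instanceof OnConnectExternal
 }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-override predicate isSanitizer(DataFlow::Node node) {
-super.isSanitizer(node) or
+predicate isBarrier(DataFlow::Node node) {
 node instanceof Sanitizer
 }
 
-override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
+predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
 
-override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
 isAdditionalRequestForgeryStep(pred, succ)
 }
 }
 
+module ConfigFlow = TaintTracking::Global<Config>;
+
 class BrowserStep extends DataFlow::SharedFlowStep {
 override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
 (exists (DataFlow::ParameterNode p |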
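Review bot: `Config` and `ConfigFlow` are very generic names for modules that this library file exports to every importer, and the query reaches them through an unqualified `import browserextension.BothSidesRequestForgeryQuery`; another imported library that defines its own `Config` would make the reference ambiguous. Naming them after the query, e.g. `module BrowserRequestForgeryConfig implements DataFlow::ConfigSig {` and `module BrowserRequestForgeryFlow = TaintTracking::Global<BrowserRequestForgeryConfig>;`, avoids that, with the references in BrowserRequestForgery.ql renamed to match. The new `ConfigFlow` module also has no QLDoc; I would add `/** Taint-tracking flow for client-side request forgery in browser extensions. */` above it. The `BrowserStep` class at the end of the hunk continues outside it.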

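--- a/javascript/src/audit/CWE-918/BrowserRequestForgery.ql
+++ b/javascript/src/audit/CWE-918/BrowserRequestForgery.ql
@@ -13,11 +13,11 @@
 
 import javascript
 import browserextension.BothSidesRequestForgeryQuery
-import DataFlow::PathGraph
+import ConfigFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
+from ConfigFlow::PathNode source, ConfigFlow::PathNode sink, DataFlow::Node request
 where
-cfg.hasFlowPath(source, sink) and
+ConfigFlow::flowPath(source, sink) and
 request = sink.getNode().(Sink).getARequest()
 select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(),
 sink.getNode().(Sink).getKind(), source, "user-provided value"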
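Review bot: Nothing in this commit shows that the converted query still reports the same alerts: only the library and this query file change, with no test or expected-output file alongside. Dropping `Configuration cfg` makes the result set depend entirely on `ConfigFlow::flowPath`, and the library side of the conversion also changes the barrier predicate (the `super.isSanitizer(node)` disjunct is gone), so a lost sanitizer or step would surface only as extra or missing findings. I would run the query on the same database before and after this commit and diff the results, or add a small fixture in which an `OnMessageExternal` source reaches a request sink. The query metadata header lies above this hunk and is not visible here.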
